The world according to Sven-S. Porst

Apple’s Mail has supported signing and encrypting messages since the version that shipped with Mac OS X.3. Even better, Apple didn’t develop their own homebrew solution for doing this but just implemented existing standards that are also supported by other e-mail applications, e.g. those from the Netscape family (I don’t know about Windows clients like Outlook, any hints about those?). This means that if you’re using Apple’s Mail or any of those other applications you have all the software you need for signing or encrypting messages right there at your fingertips.

But you probably won’t have used it yet. Why? Because in addition to the software that can do the signing and encrypting, you’ll need your own certificate that will be used for those steps. However, these certificates don’t grow on trees; they have to be issued by certain authorities. If they aren’t, e-mail applications may, or rather should, refuse to use them as they can’t verify who issued them.

And that’s probably the reason why you haven’t used or seen the encryption features yet, although you might like the idea of sending encrypted messages to ensure your mail can’t be read by any of the companies owning some bit of the wires or computers that your e-mail passes through on its way around the world.

The good news is that getting a certificate isn’t exactly hard. To get one you just need to sign up with Thawte who issue certificates free of charge. Read and follow these detailed instructions on how to get and use certificates and you’re done. You can then sign your e-mail messages to anybody. And if the recipient happens to have both a certificate and a capable e-mail client as well, you’ll be able to send each other encrypted messages after signatures have been exchanged.

As desirable as keeping your e-mails private may be, what keeps it from working is that many people don’t have certificates themselves and thus cannot do it. So I want to encourage you to get a certificate yourself if you don’t have one yet and then tell five people you know – and who are likely to want to use encryption – about it, asking them to do the same as you did.

If you’re interested in getting into encryption as well, just send me a signed message and I’ll add you to the list. If possible, include the address of a post of yours where you’re trying to get other people involved, so I can put up a link as well.

All right, now that I’ve put that rather positive spin up there, let me also mention that there remain a number of issues with encryption and the scheme used for it in Apple’s Mail. For various technical as well as ‘psychological’ reasons we won’t see encryption used by everyone soon. But it’s still worth discussing those reasons and the difficulties that can arise or the objections that people may have. My impression remains that even with those limitations cryptography features in e-mail aren’t used as widely as they could be at this time.

So even if you are not using encryption as it is offered by Apple’s Mail, it will be interesting to hear what you think about the topic. Is it just for the overly paranoid? Is the technology too weak? Shouldn’t we just use PGP instead? I’m sure arguments can be made for many points.

Comments

The only down-side to signing your emails is when you send it to a Windows Outlook user. The message will indeed be signed (and encrypted, if you both have certificates), but they will see the signature as an attachment which they cannot open. This causes some confusion if the Windows user in question is not familiar with digital signatures. I remain hopeful that Microsoft will eventually fix this bug so that everybody can sign their emails without the possibility of confusing the recipient.

The Mac’s “Mail” program, of course, doesn’t count the signature as an attachment. Just one of a bazillion things Apple does to make the Mac experience so amazing.

The questions should be reversed. Yes, the technology is too weak, in the sense that there is far too much work (read: more than none) involved in encrypting e-mail. Because of that, doing so has so far remained something “for the overly paranoid”.

Nobody in their right mind minds the idea of encryption. But having to read a tutorial first, etc., makes things far too complicated for the average person.

The concept of “certificates” is just way over the head of most people.

I would be interested to know how iChat 3.1 does encryption (for .mac users); it appears it doesn’t require any additional user interaction other than turning it on. Obviously, it is linked to the user’s .mac account, so maybe it is a system where Apple gets to be the certificate authority, automatically issuing certificates to the user. But either way, it would appear to be a much more seamless process.

Similarly, Adium (and Gaim) features encryption as well, using “Off-the-Record Encryption”. I don’t know exactly how this works, although it involves private keys and fingerprints.

Now, I personally consider e-mail an unfixable, to-be-redesigned-from-scratch technology, but from what I’ve seen so far, it really should be able to perform better in this regard.

We do use (hack, ptui) Outlook/Exchange at work, and not only did I get a certificate for my work email address, I also got my boss set up with one as well. Add that to the fact that we’re switching to ssl’ed Jabber for our departmental IM needs and I’m feeling good about things all around. :)

Sören, I’m not in a position to assign the ‘too negative’ label to others. But you may be seeing the problem in the wrong place.

Technically, encrypting messages and sending them through e-mail is not a problem. And Apple have given us a nice non-technical implementation of that, meaning that the only obstacle that remains is getting a certificate, i.e. what I like to call the ‘social’ aspect of encryption. And I don’t think we can easily skip that obstacle soon.

I tried to avoid writing about this above because it’s not a very simple topic and would require a big number of words that weren’t my main concern this time. But the bottom line is that establishing the connection between a certificate and the owner is difficult and cannot be done automatically by the people who issue certificates these days.

As for iChat encryption: I don’t have a .Mac account myself so I had to collect the information from others who do (thanks Pierre!). It seems that on activating iChat encryption, iChat downloads a certificate from .Mac that is set up to be used by iChat only. From the information I got, I couldn’t figure out how this works, but it looks pretty much like it’d be too optimistic to hope that you could make iChat use some other certificate.

That sounds quite good. Do you have any insight in how much encryption technology is used in businesses and other ‘real world’ institutions? Will companies which auto-attach a few pages of ‘THIS IS CONFIDENTIAL’ crap on each of their employees’ emails actually make sure stuff is encrypted wherever it can be? And if they do, are the people who set it up for them competent enough to ensure there aren’t any dangerous gaps?

Well, to avoid all some hassle, I have shared a very strong passphrase with some people I work with. I then create encrypted disk images with any messages and files, and that is attached to an email. There are two setbacks, 1) sharing the passphrase, but in my line of work if it’s worth sharing documents that are encrypted I have met the person in meatspace. 2) It helps if they are Mac users, but there are ways around that.

On sharing a passphrase outside meatspace: a phone call works, but then, someone may be listening. :)

Generally, I only do this with people who work for Corporations. The kind of people who send emails with long legal disclaimers as a signature, but never bother to understand what GPG (or PGP) is all about.

Thanks for the tip. I had forgotten about Thawte’s e-mail certificates and will sign my messages from now on.

At work we use Outlook 2003. In a quick test I found that mail signed by my Mac shows up nicely with a “seal” logo in Outlook. The recipient can click the logo which will state that the message signature is valid and they can view the certificate. Now if only I could figure out how to get my certificate into Outlook so I can sign mail I send from there…

Nate — Thawte actually has a howto for setting up signing/encryption in Outlook, linked from their “freemail” cert pages.

Sven — encryption is, sadly, fairly uncommon at most companies I’ve worked for. Even when I worked (under contract) for the U.S. government, the only time we sent encrypted mail is when I had to forward some SBU logs to another site.

Another concern is that the new post-Enron Sarbanes-Oxley regulations place some new requirements/restrictions on logging/archiving business communications. I don’t even pretend to understand the legal implications. Of course, any applicable regulations would be completely different in the rest of the world.

As for the iChat certificate. The iChat can only encrypt if you are using your .mac account (not an AIM-registered account). This is because Apple issues a certificate for user@mac.com, which is the ichat ID.

The bad news is this is worthless for secured chatting if you don’t use the unwieldy address for chatting. The good news is that it just places a certificate in your keychain which means mail.app will now happily use it to sign and/or encrypt all email sent from user@mac.com.

What I suspect, but do not know, is that you could just plug in other certificates not issued by apple for iChat since the program just seems to be checking the keychain for a certificate.

Unfortunately, Apple is not yet offering certificates for .Mac aliases. (for those who do not know .Mac allows each email account to have different addresses - user1@mac.com user2@mac.com - which all dump in the email account, but you can add special filtering and Mail.app lists those addresses as a sub-group under the mail .mac account. This is useful as you can have a different address for different groups of people which all are in the same actual account and mail.app will remember to reply using the same address to which they sent their message.) Because ichat only makes an account for the main identity, you can only get a certificate for the main identity. Or, to be more accurate, I have only been able to get one certificate.

Thanks a lot Robert… I had assumed this wouldn’t work as it didn’t in some other tests I did. This is great for .Mac users!

Have you tried sending a signed message to people using non-Mac Mail clients? Did it appear as properly signed on their systems?

Strangely I can’t send you an encrypted message. Mail keeps claiming that I don’t have a public key for your address. I assume that may be because the public key I got for your account is just titled with your .Mac user name rather than your complete .Mac e-mail address. Have you had any more success with that?

None of the people I email with even know certs exist so I don’t have a lot of compatibility info. gmail displays the cert as an attachment, as does .Mac webmail. Entourage marks the certificate as not matching the sender address, but otherwise valid. A sort of partial signage. Entourage will decrypt the encrypted message I sent you after asking for keychain access.

In fact, since you were the first signed message I’ve received I tried sending an encrypted message in case that might give you the info you need to send an encrypted message. However, since the certificate was created in iChat, for iChat, it makes sense that it might just use the username if that is how the AIM server routes messages. Perhaps two .mac email addresses would work?

I have also not been able to use the iChat certificate for email signing and encryption. From looking at the certificate it looks like it does not associate with your full .Mac email address which would be needed to work.

If you enable iChat encryption, .Mac will generate a Certificate and key with your .Mac name and store it in your keychain. This is used to encrypt iChat text and video and works well.

You can also use your .Mac certificate to sign and encrypt email. To do this, open Keychain Access, check that your .Mac certificate is there, then go to the preferences and check “Search .Mac for Certificates”. You can then start Apple Mail, use your .Mac email account, and you will see icons on the right above the message window to toggle on/off encrypting and digital signing of email. Remember, to encrypt email to another person you must have their certificate in your keychain.

In fact, it seems like you’ve unveiled quite a cool option of the keychain there, Jeff. It seems like I can send encrypted Mail to you now that I’ve checked that checkbox in Keychain Access despite not having your certificate in my keychain. I assume the keychain just fetches the certificate as needed from some .Mac server for this to work. Neat.

I wonder why you’ve made no mention of GnuPGP? I have been using it for years, and with MacGPG, and the GPGMail plugin for Mail.app, digital signing and encrypting of email has been effortless and painless.

Of course, the GPGMail plugin for Mail.app broke in Leopard, but the developer says he will have a fixed version in 10 days. GnuPGP is free and easy to use, so give it a whirl.

David: While I personally do use gpg if needed, I thought it’s just too ugly and inconvenient to actually use when using Apple’s Mail. To establish signatures and encryption with the less technically inclined every extra click will put people off and thus Mail’s built-in encryption is preferable.
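
The sender-address mismatch that comes up in the comments (Entourage flagging a certificate that does not match the sender, a certificate carrying only a user name instead of the full address), reproduced as an added example that is not from the post or its commenters. It assumes the `openssl` command-line tool; every name, address and file is constructed, and the plain case-insensitive string comparison is a simplification of what a mail client does.

```shell
#!/bin/sh
# Added example; every name, address and file here is constructed.
WORK=$(mktemp -d)

# make_cert PREFIX SUBJECT: write a throwaway self-signed certificate and key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# cert_emails CERT: every e-mail address the certificate carries
# (subject emailAddress and subjectAltName entries), lower-cased.
cert_emails() {
  openssl x509 -in "$1" -noout -email | tr '[:upper:]' '[:lower:]'
}

# sign_mail PREFIX FROM: S/MIME-sign a short message with PREFIX's key.
sign_mail() {
  printf 'hello\n' > "$WORK/body.txt"
  openssl smime -sign -text -in "$WORK/body.txt" \
    -from "$2" -to peer@example.org -subject test \
    -signer "$WORK/$1.pem" -inkey "$WORK/$1.key" -out "$WORK/$1.eml"
}

# signer_matches_from MESSAGE: pull the signer certificate out of the
# signature and succeed only if it carries the message's From address.
signer_matches_from() {
  from=$(sed -n 's/^From: *//p' "$1" | head -n 1 | tr -d '\r' |
         tr '[:upper:]' '[:lower:]')
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -out "$1.crt"
  cert_emails "$1.crt" | grep -Fxq -- "$from"
}

# "chat" names only an account, like the chat-only certificate in the comments;
# "mail" binds the complete address, as an e-mail certificate does.
make_cert chat "/CN=user"
make_cert mail "/CN=user/emailAddress=user@example.com"

for c in chat mail; do
  sign_mail "$c" "User@Example.com"
  if signer_matches_from "$WORK/$c.eml"; then
    echo "$c: signer certificate names the From address"
  else
    echo "$c: signer certificate does not name the From address"
  fi
done
```

Running `openssl x509 -noout -email` against a certificate exported from the keychain shows which addresses it can be used for.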